Can nginx do TCP load balance with SSL termination

Question

Due to some reason, I need to set up Nginx TCP load balance, but with SSL termination. I am not sure whether Nginx can do this. Since TCP is layer 4, SSL is layer 5, SSL pass-thru definitely work. But with SSL-termination?

Answer 1

Nginx can act as L3/4 balancer with stream module: https://www.nginx.com/resources/admin-guide/tcp-load-balancing/

Because SSL still tcp - Nginx can proxy SSL traffic without termination.

Also stream module can terminate SSL traffic, but it's optional.

Example 1: TCP tunnel for IMAP over SSL without SSL termination

stream {
    upstream stream_backend {
        server backend1.example.com:993;
        server backend2.example.com:993;
    }
    server {
        listen 993;
        proxy_pass stream_backend;
    }
}

In this case, SSL termination processed by backend1/2.

Example 2: TCP tunnel for IMAP with SSL termination.

stream {
    upstream stream_backend {
        server backend1.example.com:443;
        server backend2.example.com:443;
    }
    server {
        listen 993 ssl;
        proxy_pass stream_backend;
        ssl_certificate        /etc/ssl/certs/server.crt;
        ssl_certificate_key    /etc/ssl/certs/server.key;
    }
}

In this case traffic between nginx and backend1/2 unencrypted (IMAP 443 port used).

Example 3: Receive unencrypted and encrypt it

stream {
    upstream stream_backend {
        server backend1.example.com:993;
        server backend2.example.com:993;
    }
    server {
        listen 443;
        proxy_pass stream_backend;
        proxy_ssl  on;
        proxy_ssl_certificate     /etc/ssl/certs/backend.crt;
        proxy_ssl_certificate_key /etc/ssl/certs/backend.key;
    }
}

So, clients connect to our nginx without SSL and this traffic proxed to backend1/2 using SSL encryption.